Latest HIPAA News

HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats

The Department of Health and Human Services has launched a new website that offers advice and resources to help the healthcare and public health sector mitigate cybersecurity threats.

The website was created as part of the HHS 405(d) Aligning Health Care Industry Security Approaches Program, which was established in response to the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 called for the HHS to establish the program and a Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures and processes that healthcare organizations can use.

More than 150 individuals from industry and the federal government have collaborated under the program and provided insights into how best to mitigate cyberthreats. The new website supports the motto, Cyber Safety is Patient Safety, and provides videos and other educational material to raise awareness of pertinent threats along with vetted cybersecurity resources to drive behavioral change and move toward consistency in mitigating key threats to healthcare organizations. Through the website, organizations in the HPH sector can subscribe to a bi-monthly 405(d) newsletter and will have easy access to threat-specific products to support cybersecurity awareness and training efforts.

“The new 405(d) Program website is a step forward for HHS to help build cybersecurity resiliency across the Healthcare and Public Health Sector. This is also an exciting moment for the HHS Office of the Chief Information Officer in our ongoing partnership with industry,” said Christopher Bollerer, HHS Acting Chief Information Security Officer.

“This website is the first of its kind! It’s a unique space where the healthcare industry can access vetted cybersecurity practices specific to the HPH sector on a federal government website,” said Erik Decker, 405(d) Task Group Industry co-lead. “I think it’s a great resource for the HPH sector to turn to and will surely be a go-to site for organizations that want to better protect their patients and facilities from the latest cybersecurity threats.”

The post HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats appeared first on HIPAA Journal.

HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records.

The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although an extension of 30 days may be granted in limited circumstances. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified.

The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the requested records or for unnecessary delays. In some cases, patients have had to wait many months before they were provided with a copy of their records.

The latest announcement by OCR brings the total number of HIPAA Right of Access enforcement actions under the 2019 enforcement initiative up to 25.

In all of the new cases below, OCR determined the healthcare providers were in violation of 45 C.F.R. § 164.524 and had not provided timely access to protected health information about the individual after receiving a request.

Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, agreed to settle OCR’s investigation and paid a $32,150 financial penalty and will be monitored by OCR for compliance with its corrective action plan for 2 years. The investigation stemmed from a complaint from a patient who requested his medical records on November 25, 2019, but was not provided with the records until March 19, 2020.

Denver Retina Center, a Denver, CO-based provider of ophthalmological services, settled its investigation with OCR and paid a $30,000 financial penalty and will be monitored for compliance with its corrective action plan for 12 months. A patient alleged she had requested her records in December 2018 but did not receive a copy of her records until July 26, 2019. OCR had provided technical assistance to the healthcare provider following receipt of a previous HIPAA Right of Access complaint from the same patient and closed the case. When evidence was received of continued non-compliance the case was reopened. OCR determined that in addition to the delay, Denver Retina Center’s access policies and procedures were not compliant with the HIPAA Privacy Rule, as required by 45 C.F.R. § 164.530(i).

Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a Eugene, OR-based provider of residential eating disorder treatment services, settled OCR’s investigation and paid a $160,000 financial penalty and will be monitored for compliance with the corrective action plan for 12 months. OCR had received three complaints from a patient who had not been provided with a copy of her medical records. The patient had requested a copy of her records on October 1, 2019, and November 21, 2019, and did not receive the requested records until May 22, 2020.

Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, settled OCR’s investigation and paid a $10,000 financial penalty and has agreed to take corrective action to prevent further HIPAA Right of Access violations. OCR had received a complaint from a patient who requested a copy of her medical records on June 27, 2019 and paid a $25 flat fee, which is the standard fee charged by Wake Health Medical Group for providing copies of medical records. As of the date of the settlement, the patient has still not been provided with the requested records.

Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, did not cooperate with OCR during the investigation, although did not contest the findings and waived his right to a hearing. A civil monetary penalty of $100,000 was imposed by OCR. An investigation was launched following receipt of a complaint from a former patient who alleged he had made several written and verbal requests for a copy of his medical records between 2013 and 2014. The complaint was filed with OCR on November 9, 2017, and the case was closed by OCR on December 15, 2017, after advising Dr. Glaser to investigate the complaint and provide the requested records if the requests were in line with the HIPAA Right of Access. The patient filed a further complaint with OCR on March 20, 2018, and provided evidence of further written requests. OCR tried to contact Dr. Glaser on multiple occasions by letter and phone, but he repeatedly failed to respond, hence the decision to impose a civil monetary penalty.

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

The post HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations appeared first on HIPAA Journal.

CISA Publishes Mobile Device Cybersecurity Checklist for Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance for enterprises to help them secure mobile devices and safely access enterprise resources using mobile devices.

The Enterprise Mobility Management (EMM) system checklist has been created to help businesses implement best practices to mitigate vulnerabilities and block threats that could compromise mobile devices and the enterprise networks to which they connect. The steps outlined in the checklist are easy for enterprises to implement and can greatly improve mobile device security and allow mobile devices to be safely used to access business networks.

CISA recommends a security-focused approach to mobile device management. When selecting mobile devices that meet enterprise requirements, an assessment should be performed to identify potential supply chain risks. The Mobile Device Management (MDM) system should be configured to update automatically to ensure it is always running the latest version of the software and patches are applied automatically to fix known vulnerabilities.

A policy should be implemented for trusting devices, with access to enterprise resources denied if the device does not have the latest patch level, has not been configured to enterprise standards, is jailbroken or rooted, and if the device is not continuously monitored by the EMM.

Strong authentication controls need to be implemented, including strong passwords/PINs, with PINs consisting of a minimum of 6 digits. Wherever possible, face or fingerprint recognition should be enabled. Two-factor authentication should be implemented for enterprise networks that require a password/passphrase plus one additional method of authentication such as an SMS message, rotating passcode, or biometric input.

CISA recommends practicing good app security, including only downloading apps from trusted app stores, isolating enterprise applications, minimizing PII stored in apps, disabling sensitive permissions, restricting OS/app synchronization, and vetting enterprise-developed applications.

Network communications should be protected by disabling unnecessary network radios (Bluetooth, NFC, Wi-Fi, GPS) when not in use, disabling user certificates, and only using secure communication apps and protocols such as a VPN for connecting to the enterprise network.

Mobile devices should be protected at all times. A Mobile Threat Defense (MTD) system should guard against malicious software that can compromise apps and operating systems and detect improper configurations. Devices should only be charged using trusted chargers and cables, and the lost device function should be enabled to ensure the devices are wiped after a certain number of incorrect login attempts (10 for example). It is also important to protect critical enterprise systems and prevent them from being accessed using mobile devices due to the risk of transferring malware.

The CISA mobile device cybersecurity checklist for organizations can be downloaded here.

The post CISA Publishes Mobile Device Cybersecurity Checklist for Organizations appeared first on HIPAA Journal.

Increased Risk of Cyber and Ransomware Attacks Over Thanksgiving Weekend

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned organizations in the United States about the increased risk of cyberattacks over Thanksgiving weekend.

Cyber threat actors are often at their most active during holidays and weekends, as there are likely to be fewer IT and security employees available to detect attempts to breach networks. Recent attacks have demonstrated holiday weekends are prime time for cyber threat actors, with Las Vegas Cancer Center one of the most recent victims of such an attack on the Labor Day weekend.

The warning applies to all organizations and businesses, but especially critical infrastructure firms. Cyber actors around the world may choose Thanksgiving weekend to conduct attacks to disrupt critical infrastructure and conduct ransomware attacks.

CISA and the FBI are urging all entities to take steps to ensure risk is effectively mitigated ahead of the holiday weekend to help prevent them from becoming the next victim of a costly cyberattack.

Steps that should be taken immediately include a review of current cybersecurity measures and to ensure cybersecurity best practices are being followed. Multi-factor authentication should be activated on all remote and administrative accounts, default passwords should be changed, and strong passwords set on all accounts, with steps taken to ensure passwords are not reused elsewhere.

Remote Desktop Protocol (RDP) is commonly targeted by threat actors, as are other remote access services. It is important to ensure that RDP and remote access services are secured, and connections are monitored. If remote access is not required, these services should be disabled.

Phishing is commonly used to gain access to networks. It is important to remind employees to exercise caution with email, never to click on suspicious links in messages, or to open attachments in unsolicited emails. Phishing scams often spoof trusted entities such as charities, well-known brands, vendors, and work colleagues and phishing campaigns are conducted in large numbers at this time of year targeting holiday season shoppers, especially in the run-up to Black Friday and Cyber Monday.  Over the next couple of days, it is wise to conduct exercises to raise awareness of security risks.

All staff members will likely want to have time off over Thanksgiving weekend, but it is important to identify IT security employees who can be available to surge into action should a security incident or ransomware attack occur. Prompt action can greatly reduce the severity and cost of a cyberattack.

It is also recommended to review and update incident response and communication plans to ensure they will be effective in the event of a cyberattack. This month, CISA issued new cybersecurity incident and vulnerability response playbooks to help federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities; however, they can be used by all businesses for developing cybersecurity incident and vulnerability response plans.

Mitigations and cybersecurity best practices that can be adopted to reduce risk are detailed in the previously released CISA alert – Ransomware Awareness for Holidays and Weekends.

The post Increased Risk of Cyber and Ransomware Attacks Over Thanksgiving Weekend appeared first on HIPAA Journal.

HHS Warns Healthcare Sector About Risk of Zero-day Attacks

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief warning the healthcare and public health sector about an increase in financially motivated zero-day attacks, outlining mitigation tactics that should be adopted to reduce risk to a low and acceptable level.

A zero-day attack leverages a vulnerability for which a patch has yet to be released. The vulnerabilities are referred to as zero-day, as the developer has had no time to release a patch to correct the flaw.

Zero-day attacks are those where a threat actor has exploited a zero-day vulnerability using a weaponized exploit for the flaw. Zero-day vulnerabilities are exploited in attacks on all industry sectors and are not only a problem for the healthcare industry.  For instance, in 2010, exploits were developed for four zero-day vulnerabilities in the “Stuxnet” attack on the Iranian nuclear program, which caused Iranian centrifuges to self-destruct to disrupt Iran’s nuclear program.

More recently in 2017, a zero-day vulnerability was exploited to deliver the Dridex banking Trojan. While it would normally be necessary for an individual to take additional actions after opening a malicious email attachment for malware to be downloaded, by including an exploit for a zero-day vulnerability the threat actors were able to install the Dridex banking Trojan if an individual simply opened an infected email attachment. A zero-day vulnerability was also exploited this year in the 2021 SonicWall ransomware attacks. The vulnerability was identified by the UNC2447 threat group and was exploited to deliver FiveHands ransomware.

The very nature of zero-day vulnerabilities means it is not possible to eliminate risk entirely, as software developers need to develop patches to fix the vulnerabilities, but strategies can be adopted to reduce the potential for zero-day vulnerabilities to be exploited.

The number of detected exploits for zero-day vulnerabilities more than doubled between 2019 and 2021. This is, in part, due to the high value of exploits for zero-day flaws. The price paid for working exploits rose by more than 1,150% between 2018 and 2021. While the market for zero-day exploits was limited to a handful of groups with deep pockets, there are now many threat actors with considerable resources that are willing to pay as they know they can make their money back many times over by using the exploits in their attacks. Now, an exploit for a zero-day vulnerability could be worth more than $1 million.

Zero-day attacks specifically conducted against the healthcare sector are a very real possibility. In August this year, a zero-day vulnerability dubbed PwnedPiper was identified in the pneumatic tube systems used in hospitals to transport biological samples and medications. The vulnerability was identified in the control panel, which would allow unsigned firmware updates to be applied. An attacker could exploit the flaw and take control of the system and deploy ransomware.

In August 2020, four zero-day vulnerabilities were identified that exposed OpenClinic patients’ test results. Unauthenticated attackers could successfully request files containing sensitive documents from the medical test directory, including medical test results.

The best defense against zero-day vulnerabilities is to patch promptly, but patching is often slow, especially in healthcare. In 2019, a survey conducted by the Ponemon Institute revealed the average time to apply, test, and deploy a patch for a zero-day vulnerability was 97 days after the patch was released.

The advice of HC3 is to “patch early, patch often, patch completely.” HC3 provides up-to-date information on actively exploited zero-days and the available patches to fix zero-day flaws. HC3 also suggests implementing a web-application firewall to review incoming traffic and filter out malicious input, as this can prevent threat actors from gaining access to vulnerable systems. It is also recommended to use runtime application self-protection (RASP) agents, which sit inside applications’ runtime and can detect anomalous behavior. Segmenting networks is also strongly recommended.

The TLP: WHITE Zero-Day Threat Brief is available for download on this link.

The post HHS Warns Healthcare Sector About Risk of Zero-day Attacks appeared first on HIPAA Journal.

October 2021 Healthcare Data Breach Report

October saw 59 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 25.5% increase from September. Over the past 12 months, from November 2020 to October 2021, there have been 655 reported breaches of 500 or more records, 546 of which have been reported in 2021.

Healthcare Data Breaches (November 20-October 21)

The protected health information (PHI) of 3,589,132 individuals was exposed, stolen, or impermissibly disclosed across the 59 reported data breaches, which is 186% more records than September. Over the past 12 months, from November 2020 to October 2021, the PHI of 39,938,418 individuals has been exposed or stolen, with 34,557,664 individuals known to have been affected by healthcare data breaches so far in 2021.

Healthcare records breached (november 20-october 21)

Largest Healthcare Data Breaches in October 2021

There were 18 data breaches reported to the HHS’ Office for Civil Rights in October that impacted 10,000 or more individuals, as detailed in the table below.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Breach Cause
Eskenazi Health IN Healthcare Provider 1,515,918 Hacking/IT Incident Ransomware attack
Sea Mar Community Health Centers WA Healthcare Provider 688,000 Hacking/IT Incident Ransomware attack
ReproSource Fertility Diagnostics, Inc. MA Healthcare Provider 350,000 Hacking/IT Incident Ransomware attack
QRS, Inc. TN Business Associate 319,778 Hacking/IT Incident Unauthorized network server access
UMass Memorial Health Care, Inc. MA Business Associate 209,048 Hacking/IT Incident Phishing attack
OSF HealthCare System IL Healthcare Provider 53,907 Hacking/IT Incident Ransomware attack
Educators Mutual Insurance Association UT Health Plan 51,446 Hacking/IT Incident Unauthorized network access and malware infection
Lavaca Medical Center TX Healthcare Provider 48,705 Hacking/IT Incident Unauthorized network access
Professional Dental Alliance, LLC PA Healthcare Provider 47,173 Unauthorized Access/Disclosure Phishing attack on a vendor
Nationwide Laboratory Services FL Healthcare Provider 33,437 Hacking/IT Incident Ransomware attack
Professional Dental Alliance of Michigan, PLLC PA Healthcare Provider 26,054 Unauthorized Access/Disclosure Phishing attack on a vendor
Syracuse ASC, LLC NY Healthcare Provider 24,891 Hacking/IT Incident Unauthorized network access
Professional Dental Alliance of Georgia, PLLC PA Healthcare Provider 23,974 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of Florida, LLC PA Healthcare Provider 18,626 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of Illinois, PLLC PA Healthcare Provider 16,673 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Healthcare Management, Inc. TN Healthcare Provider 12,306 Hacking/IT Incident Ransomware attack
Professional Dental Alliance of Tennessee, LLC PA Healthcare Provider 11,217 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of New York, PLLC PA Healthcare Provider 10,778 Unauthorized Access/Disclosure Phishing attack on a vendor

Ransomware attacks continue to plague healthcare organizations and threaten patient safety. Half of the top 10 data breaches involved ransomware, including the top three data breaches reported in October.

The worst breach of the month was reported by Eskenazi Health. The PHI of more than 1.5 million patients was exposed and patient data is known to have been stolen in the attack. A major ransomware attack was also reported by Sea Mar Community Health Centers. Its systems were first compromised in December 2020, the ransomware attack was identified in March 2021, and Sea Mar was notified about the posting of patient data on a darknet marketplace in June. It took until late October to issue notifications to affected individuals.

Hackers often gain access to healthcare networks through phishing attacks, and phishing remains the leading attack vector in ransomware attacks. Large quantities of sensitive data are often stored in email accounts and can easily be stolen if employees respond to phishing emails. A phishing attack on UMass Memorial Health Care resulted in the exposure of the PHI of 209,048 individuals, and a phishing attack on a vendor used by the Professional Dental Alliance exposed the PHI of more than 174,000 individuals.

Causes of October 2021 Healthcare Data Breaches

Data breaches classified as hacking/IT incidents, which include ransomware attacks, were the main cause of data breaches in October. 57.63% of all breaches reported in the month were classified as hacking/IT incidents and they accounted for 94.14% of all breached records (3,378,842 records). The average size of the data breaches was 99,378 records and the median breach size was 5,212 records.

Causes of October 2021 healthcare data breaches

22 breaches were classified as unauthorized access/disclosure incidents and involved the PHI of 200,887 individuals. Those breaches include the phishing attack that affected the Professional Dental Alliance. The average breach size was 9,131 records and the median breach size was 4,484 records.

There were 4 breaches reported that involved the loss or theft of physical PHI or electronic devices containing PHI, 3 of which were theft incidents and 1 was a lost laptop computer. The PHI of 9,403 individuals was exposed as a result of those incidents. The average breach size was 2,351 records and the mean breach size was 1,535 records.

Location of breached protected health information -October 2021

Healthcare Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected covered entity type with 43 reported breaches. 8 data breaches were reported by business associates of HIPAA-covered entities and 8 were reported by health plans. Many data breaches occur at business associates of HIPAA-covered entities but are reported by the affected covered entity. The pie chart below shows the breakdown of breaches based on where they occurred.

October 2021 healthcare data breaches by HIPAA-regulated entity type

Healthcare Data Breaches by State

Healthcare data breaches were reported by HIPAA-regulated entities in 26 states. Pennsylvania was the worst affected state with 12 reported breaches, although 11 of those breaches were the same incident – the phishing attack on the Professional Dental Alliance vendor that was reported separately by each affected HIPAA-covered entity.

State No. Breaches
Pennsylvania 12
California 5
Illinois, Indiana, & Texas 4
New York & Washington 3
Connecticut, Florida, Massachusetts, New Jersey, North Carolina & Tennessee 2
Alabama, Arkansas, Kansas, Kentucky, Minnesota, Mississippi, Nebraska, Ohio, South Carolina, Utah, Virginia, & West Virginia 1

HIPAA Enforcement Activity in October 2021

There was only one HIPAA enforcement action announced in October. The New Jersey Attorney General agreed to settle an investigation into a data breach reported by Diamond Institute for Infertility and Menopause that resulted in the exposure of the PHI of 14,663 New Jersey residents.

The New Jersey Department of Law and Public Safety Division of Consumer Affairs uncovered violations of 29 provisions of the HIPAA Privacy and Security Rules, and violations of the New Jersey Consumer Fraud Act. In addition to paying $495,000 in civil monetary penalties and investigation costs, Diamond agreed to implement additional measures to improve data security.

The post October 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Iranian APT Actors Actively Exploiting Microsoft Exchange and Fortinet Vulnerabilities

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) warning of ongoing attacks by an Iranian Advanced Persistent Threat (APT) actor on critical infrastructure sectors including the healthcare and public health sector.

Cyber actors known to be associated with the Iranian government have been exploiting vulnerabilities in the Fortinet FortiOS operating system since at least March 2021, and have been leveraging a Microsoft Exchange ProxyShell vulnerability since October 2021 to gain access to targets’ networks.

The attacks appear to be focused on exploiting the vulnerabilities rather than any specific sector. Once the vulnerabilities have been exploited to gain a foothold in networks, the threat actor can perform a range of follow-on operations, which have included data exfiltration and data encryption.

The threat actors are exploiting three vulnerabilities in Fortinet Devices – CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812, and the CVE-2021-34473 in Microsoft Exchange. Patches have been released to fix the flaws that are being exploited, but many organizations have been slow to apply the patches and remain vulnerable.

Post-exploitation, the threat actors use legitimate tools to achieve their objectives, including Mimikatz for credential theft, WinPEAS for privilege escalation, SharpWMI, WinRAR for archiving data of interest, and FileZilla for transferring files. They are known to make modifications to the Task Scheduler and establish new user accounts on domain controllers, servers, workstations, and active directories. In some attacks, the accounts have been created to look similar to genuine accounts on the network to reduce the risk of detection. Data of interest have been exfiltrated via File Transfer Protocol (FTP) transfers over port 443.

The alert provides Indicators of Compromise (IoCs) for organizations using Fortinet devices and/or Microsoft Exchange, and several mitigations that will reduce the risk of compromise, the most important of which is to apply the patches to fix the above vulnerabilities as soon as possible.

The post Iranian APT Actors Actively Exploiting Microsoft Exchange and Fortinet Vulnerabilities appeared first on HIPAA Journal.

Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft

A recent survey conducted by the unified asset visibility and security platform provider Armis has explored the state of cybersecurity in healthcare and the security risks that are now faced by healthcare organizations.

The survey was conducted by Censuswide on 400 IT professionals at healthcare organizations across the United States, and 2,000 U.S. patients to obtain their views on cybersecurity and data breaches in healthcare.

The survey confirmed cyber risk is increasing, with 85% of respondents saying cyber risk has increased over the past 12 months. Ransomware gangs have targeted the healthcare industry over the past 12 months, and many of those attacks have succeeded. 58% of the surveyed IT professionals said their organization had experienced a ransomware attack in the past 12 months.

Ransomware attacks were viewed as a cause of concern by 13% of IT security pros, indicating most are confident that they will be able to recover data in the event of an attack. However, data breaches that result in the loss of patient data were a major worry, with 52% of IT pros rating data loss as a top concern, with attacks on hospital operations rated as a major concern by 23% of healthcare IT pros.

Defending against cyberattacks is becoming increasingly difficult due to the expanding attack surface. Armis says there are now 430 million connected healthcare devices worldwide, and that number is continuing to rise. When asked about the riskiest systems and devices, building systems such as HVAC were the biggest concern with 54% of IT professionals rating them as a major cybersecurity risk. Imaging machines were rated as among the riskiest by 43% of respondents, followed by medication dispensing equipment (40%), check-in kiosks (39%), and vital sign monitoring equipment (33%). While there is concern about the security of these systems and medical devices, 95% of IT professionals said they thought their connected devices and systems were patched and running the latest software.

The increase in cyberattacks on the healthcare sector is influencing healthcare decisions. 75% of IT professionals said recent attacks have had a strong influence on decision making and 86% of respondents said their organization had appointed a CISO; however, only 52% of respondents said their organization was allocating more than sufficient funds to cover IT security.

The survey of patients revealed a third had been the victim of a healthcare cyberattack, and while almost half of patients (49%) said they would change healthcare provider if it experienced a ransomware attack, many patients are unaware of the extent of recent cyberattacks and how frequently they are now being reported. In 2018, healthcare data breaches were reported at a rate of 1 per day. In the past year, there have been 7 months when data breaches have been reported at a rate of more than 2 per day.

Despite extensive media reports about healthcare data breaches and vulnerabilities in medical devices, 61% of potential patients said they had not heard about any healthcare cyberattacks in the past two years, clearly showing many patients are unaware of the risk of ransomware and other cyberattacks. However, patients are aware of the impact those attacks may have, with 73% of potential patients understanding a cyberattack could impact the quality of care they receive.

When potential patients were asked about their privacy concerns, 52% said they were worried a cyberattack would shut down hospital operations and would potentially affect patient care, and 37% said they were concerned about the privacy of information accessible through online portals.

There certainly appears to be trust issues, as only 23% of potential patients said they trusted their healthcare provider with their sensitive personal data. By comparison, 30% said they trusted their best friend with that information.

The post Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft appeared first on HIPAA Journal.

New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations

The New Jersey Attorney General and has fined two printing firms $130,000 over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA) which contributed to a breach of the protected health information (PHI) of 55,715 New Jersey residents.

Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI) provided services to a leading New Jersey-based managed healthcare organization that involved printing and mailing benefits statements. Between October 31, 2016, and November 2, 2016, a printing error resulted in PHI such as claims numbers, dates of service, provider names, facility names, and descriptions of services being mailed to incorrect recipients.

When printing firms or other vendors provide services to HIPAA-covered entities that require access to PHI, they are required to enter into a business associate agreement with the covered entity and must comply with the requirements of the HIPAA Security Rule. The responsibilities of HIPAA business associates include implementing safeguards to ensure the confidentiality, integrity, and availability of any PHI they are provided with.

The New Jersey Division of Consumer Affairs (DCA) launched an investigation into the printing firms and determined printing processes were changed in 2016 which resulted in an error being introduced that saw the final page of one member’s statement being added to the first page of another member’s statement. Procedures should have been implemented to check the benefits statements prior to mailing.

The DCA determined impermissible disclosure of PHI was in violation of HIPAA and the CFA. Specifically, the companies violated HIPAA by failing to ensure the confidentiality of PHI, failing to protect against a reasonably anticipated unauthorized disclosure of PHI, and failing to review and modify security measures to ensure reasonable and appropriate protections were in place to ensure the confidentiality of PHI.

The printing firms disputed the findings of the DCA investigation but agreed to a consent order which requires them to change their business practices and implement new safeguards to protect sensitive data.

The consent order requires a comprehensive security information program to be implemented and the use of an event management tool to identify and track potential vulnerabilities and threats to the confidentiality of PHI. Each company is required to appoint an employee as Chief Information Security Officer. That individual must have sufficient expertise in information security to implement, maintain, and monitor the information security program.

An employee with expertise in HIPAA compliance must be appointed as Chief Privacy Officer, a security awareness and anti-phishing training program must be implemented for the workforce, and policies and procedures must be put in place that require approval to be obtained from clients that store or transmit PHI prior to making material changes to printing processes. $65,000 of the penalty amount will be suspended and will not have to be paid if the companies comply with the terms of the consent order.

“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” said Acting Attorney General Bruck. “Inadequate protective measures are unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”

This is the second financial penalty for violations of HIPAA and the CFA to be announced by New Jersey in as many months. In October, Diamond Institute for Infertility and Menopause was fined $495,000 to resolve HIPAA and CFA violations that led to a breach of the PHI of 14,663 New Jersey residents.

The post New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations appeared first on HIPAA Journal.